
Protecting Patient Privacy Beyond HIPAA


By: John Seaner, CMO, Swoop/IPM.ai

While a landmark for patient privacy when ratified in 1996, the Health Insurance Portability and Accountability Act (HIPAA) falls short when de-identified health information is used for targeted advertising, creating risks for health marketers. To fill the gaps HIPAA leaves, the Network Advertising Initiative (NAI) provides a modern-day framework for the responsible use of health data in a digital-first world.

HIPAA regulates how protected health information (PHI) is handled and generally prevents its disclosure without a patient’s consent. However, several key exceptions override this, including sharing data for other health care operations, for the benefit of the public (as with Covid vaccination status), in cases of abuse, for workers’ compensation, when requested by law enforcement or deemed essential for government functions, for organ donation and in certain research. As a subset of the Privacy Rule, the Security Rule protects the confidentiality of electronic protected health information (e-PHI), and although it is designed for a fully digital system, encryption is not mandatory. Given the exceptions that define HIPAA, covered entities are essentially forced to use their best judgment and act ethically, which is ambiguous and could lead to a breach, even an inadvertent one.

Because of HIPAA’s breadth and its many covered entities, compliance is a moving target. Typical violations are attributed to inadequate training, inadvertent internal disclosures or third-party hacks. With respect to DTC marketing efforts, there are several ways to breach HIPAA. For example, if a patient completes a contact form or survey on a health website and in any way indicates a diagnosis, that response must be protected as PHI, and its handling is now subject to HIPAA. However, since HIPAA was not created with targeted advertising in mind, certain ambiguities remain. For instance, although HIPAA certification attests that a data set is de-identified, it does not guarantee privacy within the segment itself. The most obvious example: if a condition-specific segment consists of a single person and that person receives an ad, it is clear they have the disease.

These scenarios are exactly why the Network Advertising Initiative (NAI) must be on the radar of every health marketer. Founded in 2000, the NAI is a self-regulating body that builds on HIPAA but goes further, providing specific guidance for health advertising. NAI’s Code of Conduct is regularly updated to reflect relevant technologies and developments; it was last updated in 2020 to address health data segments and sensitive conditions. 

NAI requirements are stringent and include an annual review by a member of the compliance team. Opt-in consent is required for the use of Personal and Device-enabled Identifier Information (PII/DII). Furthermore, all data collected, used and retained must be transparent; if it originated from an unqualified source, it will not pass the audit. This purposeful system, built on explicit patient permission, assures privacy in all advertising environments and provides direct guidance on patient audiences for targeted marketing.


Swoop, the first health data technology company to become a member of the NAI, has built over 3,000 privacy-safe patient segments for 42 of the top 50 pharmaceutical brands and 18 of the top 20 healthcare marketing agencies. In addition to NAI compliance, we are HIPAA accredited and embed our proprietary k-anonymity process — a scientific way to de-identify patients — into every custom audience we create. A segment of one is impossible with k-anonymity, which requires data sets of at least two people, so 50% is the maximum allowable audience quality (AQ) that keeps identities confidential. Although AQ cannot surpass a 50% prevalence rate, our segments typically include more than 100 to 5,000 times the number of patients found in the general population.
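A small audit of condition-specific segments against the two properties this paragraph describes (a minimum segment size and a 50% cap on audience quality), as an added example that is not Swoop's code; the segment data, threshold names and function names are constructed for illustration.

```python
"""Added example, not Swoop's code: check advertising segments for the two
privacy properties the post describes, a minimum segment size (k-anonymity,
k = 2 here) and a cap on the share of members who actually have the condition
(the post's "audience quality", AQ, capped at 50%). Data is constructed."""

K_MIN = 2      # post: a segment must hold at least two people
AQ_MAX = 0.5   # post: at most 50% of a segment may have the condition

# Constructed segments: each member is (opaque member id, has_condition).
# An ad platform sees only membership; has_condition is what must stay hidden.
SEGMENTS = {
    "single_person": [("m1", True)],
    "all_patients":  [("m2", True), ("m3", True), ("m4", True)],
    "privacy_safe":  [("m5", True), ("m6", False), ("m7", True), ("m8", False)],
}


def audience_quality(segment):
    """Share of segment members who have the condition (0.0 when empty)."""
    if not segment:
        return 0.0
    return sum(1 for _, has_condition in segment if has_condition) / len(segment)


def segment_problems(segment, k=K_MIN, aq_max=AQ_MAX):
    """List the privacy failures of one segment (empty list when it is safe).

    size < k:    receiving the ad singles out one person (the segment of one).
    AQ > aq_max: receiving the ad reveals the condition with too much certainty;
                 at AQ == 1.0 every targeted person is known to be a patient.
    """
    problems = []
    if len(segment) < k:
        problems.append(f"size {len(segment)} below k={k}")
    aq = audience_quality(segment)
    if aq > aq_max:
        problems.append(f"audience quality {aq:.0%} above cap {aq_max:.0%}")
    return problems


def lift(segment, population_prevalence):
    """How much more prevalent the condition is in the segment than in the
    general population (the post quotes 100x to 5,000x for its segments)."""
    return audience_quality(segment) / population_prevalence


def audit(segments=SEGMENTS):
    """Map each segment name to its list of problems; safe segments map to []."""
    return {name: segment_problems(seg) for name, seg in segments.items()}


if __name__ == "__main__":
    for name, problems in audit().items():
        print(name, "OK" if not problems else "; ".join(problems))
    # With a 0.1% population prevalence, a 50% AQ segment is a 500x lift.
    print("lift:", lift(SEGMENTS["privacy_safe"], 0.001))
```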

In the end, nearly every healthcare targeting data provider and DSP has embraced the self-regulatory guidelines of the NAI. This is driven by a belief that safeguarding patient privacy is not just a legal responsibility but an ethical one as well. Knowing your advertising supply chain is critical for ensuring patient privacy and protecting your brand. So ask your providers whether they are members of the NAI. Anything less is a gamble.

About the Author

John Seaner
Chief Marketing Officer

John leads a team charged with amplifying our brand, communicating the organization’s business value, and earning the loyalty of our clients. He has a 30-year track record of driving innovation, operational improvement, profitable revenue growth and sustainable competitive advantage for technology companies ranging from early-stage startups to global billion-dollar public organizations. John previously served as Chief Marketing Officer of 1010data, provider of analytical intelligence, consumer insights and data sharing solutions; Chief Marketing Officer of Signals Analytics, an early pioneer in the emerging Decision Science as a Service space; and Vice President of Global Growth Marketing at Medidata Solutions, the world’s leading clinical development lifecycle platform, utilized by over 1,500 life sciences companies. Throughout his career his teams have earned notable awards and accolades, most recently for pioneering new approaches in account-based marketing, including the use of digital ethnography to uncover the customer decision journey, the utilization of data science to optimize demand activation and the application of signals intelligence to enhance customer empathy.
